This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] Just another lookaside zone

Next message (by thread): [dns-wg] Just another lookaside zone

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Lutz Donnerhacke lutz at iks-jena.de
Thu Feb 2 18:40:07 CET 2006

-----BEGIN PGP SIGNED MESSAGE-----

In order to extend the deployment of security technology, we switch to
DNSSEC for us and our customers. Usually the collection of SEP keys on
each resolver host is hard to maintain. This is the reason why, we set
up an other DLV zone. The zone is automatically rechecked for new keys
and subentries on each zone. Please allow AXFR (auth by DNSSEC key) to
provide all necessary data. The bind lookaside mechanism is limited to
small steps, so a many DLV entries as possible are needed. I copy also
the data from dlv.verisignlabs.com, so you may even trust them.    ;-)
 
Necessary configuration in /etc/named.conf:

  options {
        ...;
        dnssec-enable yes;
        dnssec-lookaside "." trust-anchor "dnssec.iks-jena.de";
  };
  
  trusted-keys {
        "iks-jena.de." 257 3 5 "AQPRteOmx973cbeIMigT7nciz3dcbt8ssZPG
                                OK2vtPQlEaZO2fKgnm1Fo6FPWcGqKv6O1Zpj
                                Ew2upKVDnzwMCRHpGe0Qh2TawStviww/jxUt
                                joZom9Hy6uIkTvo7TxqnWg55LoHlcsl1kxsF
                                1PsM2Z88F1XhXSrUtkiQnViXbfzR0joDE8xG
                                J9zRNuzr9Jik+bcv4S4KFOE/Ocn4F5vF7+eo
                                jz9m3/u0gvQdvgFsb7OHr9cYA5GeG++cJWGG
                                6xFF+yWEDdWuu2A7IJM3EQFWLr0kGDS6oWo/
                                5Bz4PlrURjU5wahM1iwLnbKXhQQempzPYnSE
                                s1CW+KH73WjMa76Dna9B";
  };

It's recommended to set up a secondary for "dnssec.iks-jena.de".
We send out notifies, too.

I did not manage to install a web form right now. If you like to
get listed, please send me an email.

I'm looking for a *stable* ipv6 and dnssec able secondary server
for our zones.  If you like to exchange secondary DNS service in
different AS, please contact me via OpenPGP mail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQCiAwUBQ+JD3pFeTizbCJMJAQH3+QRmNxR+RIQYqlrEv2IbFBsAheZINPbSbUnw
GkBCUvnTJIHmE9s2em0hxkUR+QQOpaih4szklG2B96aZ04eds5CH9ujovdfTMp0P
rb1ri6SIdvHPez50Yp9EbG51Dsdde/8eQgU3P7HHU8ZXUY9x8d0EkMu9fHrsLgkv
66NNL6ezk9S25aoTknE51FlxknX1
=PyvH
-----END PGP SIGNATURE-----

Next message (by thread): [dns-wg] Just another lookaside zone

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]